joohoi/acme-dns-certbot-joohoi

script fails if acme-dns runs against staging (the default)

leggewie opened this issue · 2 comments

The script fails when the acme-dns service is running against staging, which is the default.

config.cfg: tls = "letsencryptstaging"

2021-11-04 23:17:22,598:ERROR:certbot.hooks:Error output from manual-auth-hook command acme-dns-auth.py:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

One way to hack around this would be to skip TLS-cert verification. The calls to requests.post can be changed in three places. A better solution would of course be for acme-dns to get certs from standard letsencrypt during the initial setup even when running against staging.

issue24.patch.txt
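As an added example (not the script's or the project's own code), the alternative to skipping verification in those three requests.post calls: pin the CA that signed the acme-dns API certificate through requests' verify= argument, so the staging-signed certificate verifies while any other certificate is still rejected. The helper names and the ca_bundle setting are assumptions, not options of the real acme-dns-auth.py.

```python
"""TLS settings for the requests.post calls in an acme-dns client.

With tls = "letsencryptstaging", acme-dns serves an API certificate issued
by the Let's Encrypt staging CA, which is not in the system trust store, so
the default verify=True fails with 'certificate verify failed'. Passing
verify=False hides that error by accepting any certificate; passing the
staging root as a CA bundle keeps verification on for that one CA instead.
"""
import os
import ssl
from typing import Optional
from urllib.parse import urlsplit


def validate_ca_bundle(path: str) -> str:
    """Return path after checking it holds at least one loadable CA cert."""
    if not os.path.isfile(path):
        raise FileNotFoundError(f"CA bundle not found: {path}")
    # PROTOCOL_TLS_CLIENT does not preload system CAs, so get_ca_certs()
    # reflects only what the bundle file contributed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)  # ssl.SSLError on non-PEM junk
    if not ctx.get_ca_certs():
        raise ValueError(f"no CA certificates found in {path}")
    return path


def tls_kwargs(acmedns_url: str, ca_bundle: Optional[str] = None) -> dict:
    """Keyword arguments for requests.post; never yields verify=False.

    ca_bundle is an assumed setting: the PEM file holding the root of the
    CA that issued the acme-dns certificate (the Let's Encrypt staging
    root when acme-dns runs against staging). None means the system store,
    which is right when acme-dns uses production Let's Encrypt.
    """
    scheme = urlsplit(acmedns_url).scheme
    if scheme != "https":
        raise ValueError(f"acme-dns URL must use https, got {scheme!r}")
    if ca_bundle is None:
        return {"verify": True}
    return {"verify": validate_ca_bundle(ca_bundle)}


def post_to_acmedns(url, payload, headers, ca_bundle=None, timeout=10):
    """Hypothetical wrapper for the script's requests.post calls."""
    import requests  # lazy import: the settings logic above needs no network
    return requests.post(url, json=payload, headers=headers, timeout=timeout,
                         **tls_kwargs(url, ca_bundle))
```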

MdeLv commented

Hi,

Do you think this has a relation with /var/log/syslog growing at high speed due to the following repeated error message:

Jun 1 17:54:55 test acme-dns[555]: time="2022-06-01T17:54:55+02:00" level=info msg="2022/06/01 17:54:55 [INFO][FileStorage:api-certs] Lock for 'cert_acme_auth.example.org_https://acme-staging-v02.api.letsencrypt.org/directory' is stale; removing then retrying: api-certs/locks/cert_acme_auth.example.org_httpsacme-staging-v02.api.letsencrypt.orgdirectory.lock"

Thanks
Best regards